Email spoofing is one of the most common methods attackers use to impersonate your business. A DMARC record tells email providers how to handle messages that fail authentication checks, protecting your customers, your staff, and your reputation. This tool generates the record for you, correctly formatted and ready to add to your DNS.
Three protocols protect against this:

SPF: Tells email providers which servers are authorised to send email from your domain.

DKIM: Adds a digital signature to every outgoing email, proving the message was not altered in transit.

DMARC: Ties SPF and DKIM together and tells email providers what to do when a message fails authentication.
Steps
1. Type your domain name without "www" or "https." For example, yourbusiness.co.uk.
2. The tool queries Google's public DNS servers to look up your SPF, DKIM, DMARC, and MX records. Everything runs in your browser. Nothing is sent to our servers.
3. Your domain receives an instant A to F grade based on which protocols are configured and how strong they are.
4. Each section includes a status (Pass, Warning, or Fail), the actual DNS record found (if any), parsed details, and a plain-English recommendation for what to do next.
Overall Grade
All key protocols are correctly configured.
Most protocols are in place but could be strengthened.
Some gaps that need attention.
Significant gaps that leave your domain exposed.
Your domain has little or no email authentication in place.
v=spf1. The tool reports:
Whether an SPF record was found.
How strictly unauthorised senders are handled: Hard Fail is strongest, Soft Fail is a good starting point, and Neutral offers no protection.
How many of the 10 allowed DNS lookups you are using. Exceeding 10 causes the entire record to fail.
Number of direct IP addresses in the record (these do not count against the lookup limit).
If no SPF record is found, use our Generator to create one.
DKIM is checked by looking for TXT records under common selectors such as “google”, “selector1”, and “selector2”. The tool checks 17 commonly used selectors.
Whether a DKIM record was found.
Which selectors have valid DKIM records.
DKIM is typically configured by your email provider (Microsoft 365, Google Workspace, etc.) rather than manually. If no DKIM record is found, check your provider's documentation for instructions on enabling it.
Note: DKIM selectors can be custom, so a “not found” result does not necessarily mean DKIM is not configured. It means no common selectors were detected.
_dmarc.yourdomain.com.
Whether a DMARC record was found.
What happens on failure: "none" (monitor only), "quarantine" (send to spam), or "reject" (block entirely).
Whether you have configured a destination for reports, which show you who is sending email from your domain.
What percentage of failing messages the policy applies to.
Whether MX records were found.
Detected provider (Microsoft 365, Google Workspace, Zoho, etc.).
How many mail servers are configured.
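The SPF and DMARC details listed above (failure handling, lookup count, direct IPs, policy, report destination, percentage) can be derived from the TXT strings alone. The JavaScript below is an added example, not Cyber Kaizen's code; the function names and sample records are assumptions, and the lookup count covers only terms in the record itself, not lookups nested inside included records.

```javascript
// Added example: offline analysis of SPF and DMARC TXT strings.
// Constructed sample records (example.com/.net are documentation domains).
const SAMPLE_SPF = "v=spf1 include:_spf.example.net mx ip4:192.0.2.10 ip4:198.51.100.0/24 ~all";
const SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=50";

// Terms that trigger a DNS lookup and count toward the limit of 10 (RFC 7208, section 4.6.4).
const LOOKUP_TERMS = new Set(["include", "a", "mx", "ptr", "exists", "redirect"]);
const ALL_POLICY = { "-": "Hard Fail", "~": "Soft Fail", "?": "Neutral", "+": "Pass" };

function analyseSpf(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== "v=spf1") return { found: false };
  const result = { found: true, allPolicy: null, lookups: 0, directIps: 0 };
  for (const term of terms) {
    // Split the optional qualifier (+ - ~ ?) from the mechanism or modifier name.
    const m = /^([+\-~?]?)([a-z0-9]+)/i.exec(term);
    if (!m) continue;
    const name = m[2].toLowerCase();
    if (name === "all") result.allPolicy = ALL_POLICY[m[1] || "+"];
    else if (name === "ip4" || name === "ip6") result.directIps++; // no DNS lookup needed
    else if (LOOKUP_TERMS.has(name)) result.lookups++;
  }
  result.overLimit = result.lookups > 10; // exceeding 10 fails the whole record
  return result;
}

function analyseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  if (tags.v !== "DMARC1") return { found: false };
  return {
    found: true,
    policy: (tags.p || "").toLowerCase(), // none | quarantine | reject
    reportsTo: tags.rua ? tags.rua.split(",").map((s) => s.trim()) : [],
    pct: tags.pct === undefined ? 100 : Number(tags.pct), // pct defaults to 100
  };
}
```

A record with `p=none` and no `rua` destination is the weakest DMARC state this check can report: nothing is enforced and no reports arrive to show who is sending as the domain.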
Uses Google Public DNS for lookups. No data is stored or sent to Cyber Kaizen servers.
A free tool from Cyber Kaizen.